Secrets Manager: QA spec for non-CI API secret access (endpoint to OpenBao read)
Problem
Non-CI/CD secret access (#594090) is covered in-process by request specs tagged :gitlab_secrets_manager (which boot a real OpenBao server). That validates the mint-then-read path inside Rails, but not the real deployed network path an external client actually uses: a real token hitting the API, then the real external OpenBao URL.
Proposal
Add a QA spec for the non-CI API read path:
- Provision Secrets Manager on a project (and/or group).
- Create a secret.
- Call the new access-token endpoint via the API to get a JWT plus OpenBao connection details.
- Use the JWT to log into the real external OpenBao and read the secret.
- Assert the value matches.
This mirrors qa/qa/specs/features/ee/browser_ui/.../project_secret_ci_access_success_spec.rb (the pipeline read path) but for the API path. It reuses the existing SM QA scenario and helpers (qa/qa/ee/support/helpers/secrets_management/secrets_manager_helper.rb, qa/qa/scenario/test/integration/secrets_manager.rb).
Scope
- In scope: the QA spec for the endpoint to OpenBao read flow. No ESO, no Kubernetes cluster.
- Out of scope: a full ESO-in-a-cluster automated test. The QA framework has no ESO harness today, and the ESO flow is validated manually with design partners during 19.2 beta.
Related
- #594090 (endpoint, this issue's parent)